CVE-2026-21514
Published: 10 February 2026
Description
Reliance on untrusted inputs in a security decision in Microsoft Office Word allows an unauthorized attacker to bypass a security feature locally.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates CVE-2026-21514 by requiring timely installation of Microsoft patches as provided in MSRC guidance to remediate the flaw in Word's security decision-making.
- Prevents exploitation of the vulnerability by enforcing validation of untrusted inputs prior to their use in security decisions within Microsoft Office Word, directly countering CWE-807.
- Ensures access control decisions, such as those bypassed in Word, are made at trusted decision points isolated from untrusted inputs, preventing local security feature bypass.
Security Summary
CVE-2026-21514 is a vulnerability in Microsoft Office Word caused by reliance on untrusted inputs in a security decision, corresponding to CWE-807. Published on 2026-02-10, it enables an unauthorized attacker to bypass a security feature locally. The issue carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to substantial impacts on confidentiality, integrity, and availability.
Exploitation requires local access with low complexity and no privileges, but user interaction is necessary. An unauthorized attacker can leverage this to bypass security protections in Word, potentially leading to high-level compromise of the affected system given the elevated confidentiality, integrity, and availability impacts.
Microsoft's Security Response Center (MSRC) offers update guidance and mitigation details at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21514. The vulnerability is also referenced in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-21514.
Details
- CWE(s): CWE-807
- KEV Date Added: 10 February 2026
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability explicitly enables bypassing a security feature in Microsoft Office Word via exploitation of untrusted inputs, directly mapping to T1211 (Exploitation for Defense Evasion).